Home | hacker invade | crack analyzes | hacker course | Exploit | encryption decipher | network management | System crack | the virus to be related | invades the examination | firewall
You are here: hacking technology > Exploit > Content
Hot Articles
MyBulletinBoard (MyBB)
Joomla Component com_con
deV!Lz Clanportal [DZCP]
Discuz! 6.0.1 (searchid)
Boonex Dolphin 6.1.2 Mul
AuraCMS
pmaPWN! - phpMyAdmin Cod
SMF Mod Member Awards 1.
WarFTP 1.65 (USER) Remot
CMailServer 5.4.6 (CMail
VIVOTEK and NUUO Team Up
Mozilla Firefox 3.5 (Fon
OllyDBG v1.10 and ImpREC
Joomla Component com_con
BoonEx Ray 3.5 (sIncPath
Recommend Articles
Safari + Quicktime
CMailServer 5.4.6 (CMail
trixbox (langChoice) Loc
BrewBlogger 2.1.0.1 Arbi
Joomla Component com_con
Mole Group Last Minute S
BoonEx Ray 3.5 (sIncPath
Dreampics Builder (page)
Download Accelerator Plu
OllyDBG v1.10 and ImpREC
DreamNews Manager (id) R
gapicms 9.0.2 (dirDepth)
Million Pixels 3 (id_cat
Maian Cart 1.1 Insecure
Maian Music 1.0 Insecure
New Articles
ARM ifconfig eth0 and As
HP Data Protector Media
Winamp 5.5.8 (in_mod plu
Hanso Converter 1.1.0 .o
Fat Player Media Player
Comet Bird 3.6.10 Crash
PHP Hosting Directory 2.
MySQl 5.1 DLL Hijacking
Opera Denial of Service
Multiple Buffer Overflow
Postcard Mentor - Databa
Catalog Manager Database
My Vacation Tracker DLL
Microsoft Internet Explo
linux/x86 setreuid(0,0)
Multiple Buffer Overflows in Winamp
  Add date: 10/15/2010   Publishing date: 10/15/2010   Hits: 119
Total 2 pages, Current page:1, Jump to page:
 

Source: http://aluigi.org/adv/winamp_1-adv.txt
#######################################################################

                             Luigi Auriemma

Application:  Winamp
              http://www.winamp.com
Versions:     <= 5.5.8.2985 (aka v5.581)
Platforms:    Windows
Bugs:         A] integer overflow in in_mkv
              B] integer overflow in in_nsv
              C] integer overflow in in_midi
              D] buffer-overflow in in_mod
Exploitation: remote, versus server
Date:         13 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Winamp is one of the most diffused and appreciated media players for
Windows.


#######################################################################

=======
2) Bugs
=======

-----------------------------
A] integer overflow in in_mkv
-----------------------------

The in_mkv plugin uses a particular function (address 077078c0) for
reading text strings from the Matroska containers.
The operations performed are the reading of the ebml numeric value
(64bit), the allocation of memory corresponding to that value (32bit)
plus 1 and the subsequent reading of the data from the file leading to
possible code execution:

  buff = malloc(size + 1);
  if(buff) fread(buff, 1, size, fd);


-----------------------------
B] integer overflow in in_nsv
-----------------------------

The in_nsv plugin is affected by an heap-overflow caused by the
function (address 077ca422) that first verifies the size of the
metadata string contained in the file adding 1 to it and then copies
0x1fffffff bytes in a heap buffer leading to possible code execution
(077C8577 CALL DWORD PTR DS:[EAX+8]):

  memcpy(heap_buffer, attacker_data, size >> 3);


------------------------------
C] integer overflow in in_midi
------------------------------

The in_midi plugin is affected by an heap overflow during the handling
of the hmp files (a format used in some old DOS games) where a
variable-length 32bit value is used for the copying of data with
memcpy() from the attacker's data to a heap buffer which has not been

 

Other pages: : 1 * 2 * Next>>
Prev:Postcard Mentor - Database Disclosure Exploit Next:Opera Denial of Service Vulnerability

Comment:

Category: Home > Exploit
Home